Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network such as the Internet. The Internet Security Association and Key Management Protocol, also called IKE, is the negotiation protocol that lets the IPsec client on the remote PC and the ASA agree on how to build an IPsec Security Association. Each ISAKMP negotiation is divided into two sections called Phase1 and Phase2.
Phase 1 creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection.
To set the terms of the ISAKMP negotiations, you create an ISAKMP policy. It includes the following:
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
A Hashed Message Authentication Codes (HMAC) method to ensure the identity of the sender and to ensure that the message has not been modified in transit.
A Diffie-Hellman group to set the size of the encryption key.
A time limit for how long the ASA uses an encryption key before replacing it.
A transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. The transform set must be the same for both peers.
A transform set protects the data flows for the ACL specified in the associated crypto map entry. You can create transform sets in the ASA configuration, and then specify a maximum of 11 of them in a crypto map or dynamic crypto map entry. For more overview information, including a table that lists valid encryption and authentication methods, see the “Creating an IKEv1 Transform Set” section in Chapter 10, “Configuring LAN-to-LAN IPsec VPNs” of this guide.
You can configure the ASA to assign an IPv4 address, an IPv6 address, or both an IPv4 and an IPv6 address to an AnyConnect client by creating internal pools of addresses on the ASA or by assigning a dedicated address to a local user on the ASA.
The endpoint must have the dual-stack protocol implemented in its operating system to be assigned both types of addresses. In both scenarios, when no IPv6 address pools are left but IPv4 addresses are available or when no IPv4 address pools are left but IPv6 addresses are available, connection still occurs. The client is not notified; however, so the administrator must look through the ASA logs for the details.
Assigning an IPv6 address to the client is supported for the SSL protocol. This feature is not supported for the IKEv2/IPsec protocol.
Licensing Requirements for Remote Access IPsec VPNs
The following table shows the licensing requirements for this feature:
NoteThis feature is not available on No Payload Encryption models.
IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2:
Base license: 10000 sessions.
1.The maximum combined VPN sessions of all types cannot exceed the maximum sessions shown in this table. For the ASA 5505, the maximum combined sessions is 10 for the Base license, and 25 for the Security Plus license.
2.A shared license lets the ASA act as a shared license server for multiple client ASAs. The shared license pool is large, but the maximum number of sessions used by each individual ASA cannot exceed the maximum number listed for permanent licenses.
3.The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.
Note: With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.
The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium SSL VPN Edition license.
The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on different ASAs in the same network.
By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by using the no anyconnect-essentials command.
For a detailed list of the features supported by the AnyConnect Essentials license and AnyConnect Premium license, see AnyConnect Secure Mobility Client Features, Licenses, and OSs:
An ASA has at least two interfaces, referred to here as outside and inside. Typically, the outside interface is connected to the public Internet, while the inside interface is connected to a private network and is protected from public access.
To begin, configure and enable two interfaces on the ASA. Then assign a name, IP address and subnet mask. Optionally, configure its security level, speed and duplex operation on the security appliance.
To configure interfaces, perform the following steps, using the command syntax in the examples:
hostname(config)# interface ethernet0
Enters interface configuration mode from global configuration mode.
ip address ip_address [mask] [standby ip_address]
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
Sets the IP address and subnet mask for the interface.
hostname(config-if)# nameif outside
Specifies a name for the interface (maximum of 48 characters). You cannot change this name after you set it.
hostname(config-if)# no shutdown
Enables the interface. By default, interfaces are disabled.
Configuring ISAKMP Policy and Enabling ISAKMP on the Outside Interface
This section describes the procedure to configure an ISAKMP policy on the outside interface and how to enable the policy.
The ASA requires a method for assigning IP addresses to users. This section uses address pools as an example. Use the command syntax in the following examples as a guide.
ip local pool poolname first-address—last-address [mask mask]
ip local pool testpool 192.168.0.10-192.168.0.15
Creates an address pool with a range of IP addresses, from which the ASA assigns addresses to the clients.
The address mask is optional. However, You must supply the mask value when the IP addresses assigned to VPN clients belong to a non-standard network and the data could be routed incorrectly if you use the default mask. A typical example is when the IP local pool contains 10.10.10.0/255.255.255.0 addresses, since this is a Class A network by default. This could cause routing issues when the VPN client needs to access different subnets within the 10 network over different interfaces.
Adding a User
This section shows how to configure usernames and passwords. Use the command syntax in the following examples as a guide.
hostname(config-ipsec-proposal)# protocol esp encryption
des integrity md5
Configures an IKEv2 proposal set that specifies the IPsec IKEv2 protocol, encryption, and integrity algorithms to be used.
esp specifies the Encapsulating Security Payload (ESP) IPsec protocol (currently the only supported protocol for IPsec).
Use one of the following values for encryption:
des to use 56-bit DES-CBC encryption for ESP.
3des (default) to use the triple DES encryption algorithm for ESP.
aes to use AES with a 128-bit key encryption for ESP.
aes-192 to use AES with a 192-bit key encryption for ESP.
aes-256 to use AES with a 256-bit key encryption for ESP.
null to not use encryption for ESP.
Use one of the following values for integrity:
md5 specifies the md5 algorithm for the ESP integrity protection.
sha-1 (default) specifies the Secure Hash Algorithm (SHA) SHA-1, defined in the U.S. Federal Information Processing Standard (FIPS), for ESP integrity protection.
Defining a Tunnel Group
This section describes how to configure a tunnel group, which is a set of records that contain tunnel connection policies. You configure a tunnel group to identify AAA servers, specify connection parameters, and define a default group policy. The ASA stores tunnel groups internally.
There are two default tunnel groups in the ASA system: DefaultRAGroup, which is the default remote-access tunnel group, and DefaultL2Lgroup, which is the default LAN-to-LAN tunnel group. You can change them but not delete them. The ASA uses these groups to configure default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group identified during tunnel negotiation.
Perform the following task:
tunnel-group name type type
tunnel-group testgroup type ipsec-ra
Creates an IPsec remote access tunnel-group (also called connection profile).
(Optional) Configures a pre-shared key (IKEv1 only). The key can be an alphanumeric string from 1-128 characters.
The keys for the adaptive security appliance and the client must be identical. If a Cisco VPN Client with a different preshared key size tries to connect, the client logs an error message indicating it failed to authenticate the peer.
Note Configure AAA authentication for IKEv2 using certificates in the tunnel group webvpn-attributes.
Creating a Dynamic Crypto Map
This section describes how to configure dynamic crypto maps, which define a policy template where all the parameters do not have to be configured. These dynamic crypto maps let the ASA receive connections from peers that have unknown IP addresses. Remote access clients fall in this category.
Dynamic crypto map entries identify the transform set for the connection. You also enable reverse routing, which lets the ASA learn routing information for connected clients, and advertise it via RIP or OSPF.
Perform the following task:
For IKEv1, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev1 transform-set transform-set-name
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
For IKEv2, use this command:
crypto dynamic-map dynamic-map-name seq-num set ikev2 ipsec-proposal proposal-name
hostname(config)# crypto dynamic-map dyn1 1 set ikev2 ipsec-proposal FirstSet
Creates a dynamic crypto map and specifies an IKEv1 transform set or IKEv2 proposal for the map.
crypto dynamic-map dynamic-map-name dynamic-seq-num set reverse-route
hostname(config)# crypto dynamic-map dyn1 1 set reverse route
(Optional) Enables Reverse Route Injection for any connection based on this crypto map entry.
Creating a Crypto Map Entry to Use the Dynamic Crypto Map
This section describes how to create a crypto map entry that lets the ASA use the dynamic crypto map to set the parameters of IPsec security associations.
In the following examples for this command, the name of the crypto map is mymap, the sequence number is 1, and the name of the dynamic crypto map is dyn1, which you created in the previous section, “Creating a Dynamic Crypto Map.”